[00:00.000 --> 00:03.080]  I hope you are doing great and safe.
[00:03.660 --> 00:12.000]  First of all, before starting my presentation, I would like to thank the organizers, sponsors,
[00:12.560 --> 00:17.840]  Omar Santos and yet another security community, Yass, for their support.
[00:19.800 --> 00:27.300]  It is my honor to speak at Defcon Writing Village, and I'm really excited about this.
[00:27.300 --> 00:34.300]  So, this talk, I think, is really interesting because we are going to take a look at the
[00:34.300 --> 00:41.780]  mobile network, which is used by mobile operators and many other entities all around the world.
[00:41.940 --> 00:50.160]  This area of testing contains much valuable information, like user location, user-unique
[00:50.160 --> 00:56.400]  information, and phone number related data.
[00:56.400 --> 01:03.120]  The important thing in this talk is that we are going to review all possible bypassing methods,
[01:03.120 --> 01:10.700]  because I think you may have heard a lot about Telecom and SS7 vulnerabilities and hacking.
[01:11.000 --> 01:17.560]  So, the purposes of this talk are to address all those bypassing techniques from a Red Teamer
[01:17.560 --> 01:22.700]  perspective. If you are ready, let's get started.
[01:25.410 --> 01:35.310]  So, first I want to introduce myself. I'm Ali Abdullahi, a cybersecurity enthusiast with over
[01:35.310 --> 01:42.630]  eight years of experience in a variety of fields trying to make the world a safer place.
[01:42.950 --> 01:49.610]  I'm an instructor at Hacking9 and an active researcher and bug hunter. I'm a regular speaker
[01:49.610 --> 01:57.090]  and trainer at famous cybersecurity and hacking global conferences like COCON, TyphoonCon,
[01:57.090 --> 02:05.330]  Texas Cyber Summit, OAS, AppSec Days, Confidence, and this year I am proud to announce that I was accepted at
[02:05.330 --> 02:11.070]  Red Team Village. I'm a speaker and trainer at Aerospace and AppSec Villages.
[02:15.640 --> 02:23.040]  As you can see, there are many security incidents and news about vulnerabilities and hacking
[02:23.040 --> 02:30.280]  mobile infrastructures, including protocols, communications, and interconnections.
[02:30.280 --> 02:40.140]  In the top left corner, there is news regarding attacks on financial organizations and ATM
[02:40.140 --> 02:49.980]  infection by exploiting the SS7 protocol. In this case, hackers tried to intercept authorized
[02:49.980 --> 03:00.540]  payment phone SMS messages to exploit them. So, because SMS interception and spoofing is one of the most commonly used attacks,
[03:00.540 --> 03:09.180]  in the lower left corner, you can see news about abusing telecom protocols
[03:09.180 --> 03:19.300]  to target UK Metrobank in 2019. In this scenario, hackers tracked and intercepted text messages
[03:19.300 --> 03:28.120]  to gain unauthorized access to banking accounts. In the top right corner, you can find another
[03:28.120 --> 03:35.520]  news item regarding fixing SS7 and telecom vulnerabilities in the US, which would be very helpful to secure
[03:35.520 --> 03:43.840]  the communications and subscribers' private info. So, the last one is news about sending
[03:43.840 --> 03:51.700]  tweets via SMS, which was patched by Twitter to avoid unwanted and harmful tweets and to combat
[03:51.700 --> 04:03.520]  malicious actors. So, now the question is: what types of attacks and vulnerabilities
[04:04.340 --> 04:11.860]  threaten mobile networks and subscribers, and why are they important to red teamers?
[04:11.860 --> 04:21.060]  So, the first possible attack category is subscriber data leakage. Actually, subscriber
[04:21.060 --> 04:27.680]  data leakage is a vital part for red teamers to set up their next steps and scenarios.
[04:27.680 --> 04:34.220]  In this part of the scenario, they will retrieve subscribers' IMSI numbers and other stuff.
[04:34.220 --> 04:41.300]  The next one is network data leakage, which is very important for a red teamer to understand
[04:41.300 --> 04:50.860]  what's happening inside mobile core network and what kind of devices are in place there.
[04:50.860 --> 04:59.880]  Finding mobile subscribers' location is one of the most critical issues. So, based on
[04:59.880 --> 05:06.300]  this attack, criminals can retrieve the subscriber's CGI or Cell Global Identifier and convert
[05:06.300 --> 05:16.120]  it to MCC, Mobile Country Code, MNC, Mobile Network Code, LAC or Location Area
[05:16.120 --> 05:24.420]  Code, and Cell ID or CID to find the actual sector to which the subscriber is connected.
[05:25.240 --> 05:32.460]  Sniffing is the next scenario which points to voice and SMS interceptions. Spoofing is
[05:32.460 --> 05:40.780]  another test case, which is very interesting because if you want to take advantage of it
[05:40.780 --> 05:48.000]  as a red teamer, you may perform a call with a fake caller ID or send an SMS via a fake number.
[05:48.340 --> 05:54.380]  The last attack category is fraud. Red teamers can perform malicious USSD requests, call
[05:54.380 --> 06:01.700]  redirection, SIM card profile swapping, etc. to carry out fraud attacks.
[06:05.610 --> 06:12.650]  Now, we are starting our bypassing journey one by one. So, first of all, we are going
[06:12.650 --> 06:17.670]  to talk about radio segment, which is the most accessible part of a mobile network.
[06:17.670 --> 06:25.970]  As you can see here, we have a big picture of radio access network or RAN in different
[06:26.330 --> 06:37.230]  technologies. BTS in 2G or GSM, NodeB in 3G or UMTS technology, and eNodeB in 4G or LTE
[06:37.230 --> 06:43.870]  networks. So, there is a connection between the cell towers and the core networks, and based
[06:43.870 --> 06:51.210]  on your traffic type, meaning voice or data, the data passes through to the CS core, the circuit-switched
[06:51.210 --> 07:05.450]  network, or the packet-switched network. In this picture, we have the 5G architecture. Most
[07:05.450 --> 07:13.590]  of the elements are different, but from a red teamer's point of view, security flaws and opportunities
[07:13.590 --> 07:21.490]  in traditional technologies are still available here. Please note that 5G has its own vulnerabilities,
[07:21.490 --> 07:28.830]  and because of the IP backbone and software usage in this generation, many other doors open
[07:28.830 --> 07:41.440]  to hackers. Now we are going to review all possible vectors for a red teamer when facing
[07:41.440 --> 07:48.380]  a mobile network. First is the mobile RAN, radio access network, so the red teamer needs
[07:48.380 --> 07:56.380]  to be in the radio field and needs to have some sort of tools, like hardware and software.
[07:56.380 --> 08:03.520]  Second is the signaling network or CS. So to do this, the red teamer needs to have access to
[08:03.520 --> 08:12.700]  the signaling network. The red teamer can buy the access from the dark web even, or officially
[08:12.980 --> 08:18.760]  from telco providers all around the world, or based on the contract retrieved from the
[08:18.760 --> 08:25.840]  network owner. The data network is easier because most attacks can be performed from the
[08:25.840 --> 08:41.950]  internet and some of them from a signaling point. Okay, now we are going to review the security
[08:41.950 --> 08:48.890]  mechanisms in the radio access network, or radio security. The first one is mobile device registration
[08:48.890 --> 08:58.490]  using IMEI. Second is enabling ciphering algorithms to fight against interception and man-in-the-middle.
[08:58.490 --> 09:06.290]  The third item is using only LTE or LTE Advanced or some other advanced mobile technologies
[09:07.290 --> 09:17.980]  instead of traditional mobile core networks in 2G and UMTS. So as you can see here, this
[09:17.980 --> 09:27.720]  is the big picture of a radio access network, and you can see it is in the LTE generation, the fourth
[09:27.720 --> 09:37.780]  generation. The radio access network in this technology is called E-UTRAN or Evolved UTRAN,
[09:37.780 --> 09:45.640]  and the eNodeBs are here. They are connected to each other using X2 interfaces and they
[09:45.640 --> 09:59.800]  are connected to the core network using S1 interfaces. Okay, why use IMEI policies?
[10:00.980 --> 10:08.720]  Actually, fighting against phone smuggling, lawful and security monitoring, and tracking stolen
[10:08.720 --> 10:20.300]  devices and criminals are the main uses of mobile device registration or IMEI-based policies.
[10:22.620 --> 10:33.100]  Okay, now with the help of Motorola C115 and C118 phones and OsmocomBB software, we
[10:33.100 --> 10:42.880]  can set an invalid or fake or even duplicate IMEI and set up a call to test network reactions.
[10:42.880 --> 10:50.380]  So this is the bypass, the first bypass in the radio access network. According to the screenshot
[10:50.380 --> 11:00.970]  here, the network sends an identity request to my phone and the type of identity was IMEI. So
[11:00.970 --> 11:15.170]  I replied to it using an invalid IMEI set to all zeros. So the network accepted my invalid
[11:15.170 --> 11:32.220]  IMEI because the ciphering procedure was completed. So there are some types of ciphering keys
[11:32.220 --> 11:43.540]  like Kc, SRES and the random number in the radio access network which harden the radio network to
[11:43.540 --> 11:52.120]  avoid active sniffing, and they are always stored in the HLR or HSS in the core network. The HLR or HSS,
[11:52.120 --> 12:00.420]  as the subscriber database, has a component called AuC or Authentication Center which is responsible
[12:00.420 --> 12:12.910]  for ciphering and authentication procedures. To bypass and get this information, we are
[12:12.910 --> 12:21.770]  going to target the AuC in the HLR or HSS by abusing SS7 and signaling access as a roaming partner.
[12:21.770 --> 12:31.170]  As you can see, I sent a malicious SS7 MAP SAI or Send Authentication Info to the targeted
[12:31.170 --> 12:37.470]  core network from the SS7 network to retrieve ciphering information, and the network responded
[12:37.470 --> 12:54.640]  to me with RAND, SRES and Kc values in clear text. Another security mechanism is using advanced
[12:54.640 --> 13:01.000]  technologies to bring the highest quality and performance, having more security and privacy
[13:01.000 --> 13:09.320]  in core and radio segments, and other factors like voice over LTE, VoLTE, flexibility, etc.
[13:15.190 --> 13:27.290]  Okay, so let's review the first round of bypassing methods. In total, there is a general way and
[13:27.910 --> 13:33.630]  it is downgrading subscribers to traditional technologies like 3G and 2G, which are vulnerable.
[13:33.630 --> 13:45.990]  To perform downgrading, we need to use a signal jammer. Security in the circuit-switched network.
[13:46.550 --> 13:54.270]  There are two main security solutions in this segment of network and the first is using
[13:54.270 --> 14:03.960]  SMS home routing and the second one is a signaling firewall. Home routing acts as a proxy and
[14:03.960 --> 14:10.640]  the definition of home routing is hiding the subscriber's IMSI number, which is very valuable
[14:10.640 --> 14:19.600]  information to perform other hacking scenarios from a red teamer's perspective. As you can
[14:19.600 --> 14:28.980]  see, the red teamer requests to receive the IMSI number from the HLR/HSS and the HSS responds with the real
[14:28.980 --> 14:41.460]  value. However, the home router changes the value to a fake one. So, the main issue is
[14:41.460 --> 14:49.940]  how we can detect if home routing is enabled or not. We just need to send two or more malicious
[14:49.940 --> 14:59.200]  SS7 messages like Send Routing Info for SM or SRI-for-SM. If you receive different responses,
[14:59.200 --> 15:09.360]  it means that SMS home routing is in place. As you can see here, the red teamer or our tester
[15:09.360 --> 15:23.520]  sends two different messages, or the same message two times, and the responses are different, as you
[15:23.520 --> 15:35.880]  can see. And the main issue is the SMS router here, because in both cases the HLR/HSS responds
[15:36.520 --> 15:50.460]  with the real number. However, the SMS router changes the actual value. In telecommunications, we
[15:50.460 --> 15:58.560]  have three types of GTs or global titles, which act as IP addresses. MSISDN consists of MCC or
[15:58.560 --> 16:09.900]  Mobile Country Code, NDC and SN. IMSI consists of MCC, MNC or Mobile Network Code and MSIN.
[16:09.900 --> 16:19.240]  MGT consists of MCC, NDC and MSIN. As you can see, the red teamer can use an MGT number and a valid
[16:19.240 --> 16:25.960]  random IMSI number to request other information regarding the targeted mobile number, and it's
[16:25.960 --> 16:41.350]  really easy. Signaling firewall. Mobile operators use a signaling firewall to protect their
[16:41.350 --> 16:48.410]  signaling infrastructure: signaling packet inspection, filtering, white- and blacklisting.
[16:57.080 --> 17:06.360]  Bypassing the signaling firewall. So to bypass these kinds of firewalls, we just need to play with TCAP.
[17:08.280 --> 17:18.400]  What is TCAP? TCAP is an SS7 sub-protocol and it's like TCP. TCAP enables the deployment of advanced
[17:18.400 --> 17:27.340]  intelligent network services by supporting non-circuit related information exchange between signaling
[17:27.340 --> 17:35.400]  points using the SCCP connectionless service. TCAP provides the framework to retrieve information or
[17:35.400 --> 17:45.380]  invoke remote operations that offers the means for end users in the SS7 network to query another end
[17:45.380 --> 17:56.500]  office and act as the software interface between an SS7 point and database services in order to
[17:56.500 --> 18:16.480]  obtain data from the SS7 network. To perform the bypass, we need to remove the application context name
[18:16.480 --> 18:27.600]  from TCAP or send a double operation message. The application context name or ACN is used for all
[18:27.600 --> 18:36.620]  supported ITU TCAP messages except the abort message. No attempt to retrieve the ACN is made for abort
[18:36.620 --> 18:44.240]  messages. All other supported messages may have a dialogue portion containing a dialogue request,
[18:44.240 --> 18:53.320]  unidirectional dialogue, or dialogue response PDU from which the ACN is retrieved. If no dialogue
[18:53.320 --> 19:02.700]  portion is detected, then the ACN is assumed to be none. The TCAP opcode-based routing feature
[19:02.700 --> 19:13.620]  attempts to find the opcode in all supported TCAP messages except abort. These messages must contain
[19:15.060 --> 19:26.840]  invoke or return result (last or not last) as the first component. If not, the opcode is assumed
[19:26.840 --> 19:42.220]  to be none. So, removing the application context name from the TCAP message. To start the procedure, we need to
[19:43.240 --> 19:54.920]  remove the dialogue request section from all malicious SS7 messages. Then, there will not be an application context
[19:54.920 --> 20:09.410]  name to point to the malicious SS7 MAP message or Mobile Application Part message. So, this is the second
[20:09.410 --> 20:20.180]  bypassing method, sending a double operation message. Actually, most signaling firewalls block or accept
[20:24.290 --> 20:43.790]  a message based on message type. So, each signaling message has its own opcode and it's a vital number. According to
[20:43.790 --> 20:54.150]  the picture, the red teamer is trying to put a legitimate SS7 MAP message opcode in the first step. So, it seems a
[20:54.150 --> 21:04.540]  legitimate one. And then, put a malicious SS7 MAP message. So, the signaling firewall checks just the first
[21:04.540 --> 21:19.140]  operation code, which is pointing to a legitimate operation. After that, the component inside the core network
[21:19.990 --> 21:30.460]  replies to the signaling firewall, or actually our red teamer here in this scenario, and tries to keep the session, which is
[21:30.460 --> 21:46.560]  legitimate and valid. And asks to send the message again. So, our red teamer says thanks and this is what he wants.
[21:47.400 --> 22:03.230]  And still, the whole session is still available and legitimate as well. So, the HLR or HSS or signaling point inside
[22:03.230 --> 22:14.770]  our core network will respond with the real subscriber IMSI number and network information. And this is what actually
[22:14.770 --> 22:26.140]  our red teamer wants. As I mentioned, in the past several years, mobile network operators and telecom providers have turned
[22:26.140 --> 22:37.080]  against telecom and especially SS7 attacks and enabled many security mechanisms. In this talk, I tried to explain
[22:37.080 --> 22:46.080]  all possible bypassing techniques in all network segments in telecom infrastructures. We must consider that
[22:46.080 --> 22:54.280]  red teaming is very important because in these networks, we are dealing with millions of users' private data. Be careful
[22:54.280 --> 23:03.880]  about blind hardening and buying security appliances or software, because they are not enough. We must have
[23:03.880 --> 23:13.480]  behavior analysis and continuous monitoring as complementary solutions. Thank you very much for your attention.
[23:13.480 --> 23:21.980]  I'm still available for any questions. I hope you enjoyed this talk, and please keep in touch with me.
